cortezaproject / corteza

Low-code platform
https://cortezaproject.org
Apache License 2.0

Allow blocking changing preset filters #2038

Open rsyrnicki opened 1 day ago

rsyrnicki commented 1 day ago

Is there an existing issue for this?

Version of Corteza

2023.9.8

Current Behavior

In a Record List Block, if "Users will be able to export records" is checked, and even if "Users will be able to filter the list" is unchecked, the user can change or delete all filters, even the preset ones, before exporting. So if I set a preset filter that only allows a user to see his own records, he can export the entire table by just deleting the filter. I wasn't able to find a solution, so I assume it's a bug.


Expected Behavior

I expected only the filters set by a user to be changeable before export. The preset filters should be appended to the user filters with an "and" operator. Preset filters should not be changed by users.

Steps To Reproduce

  1. Run Corteza 2023.9.8 in Docker
  2. Create a module with data
  3. Create a page with a record list block that points to the created module
  4. Add any preset filter
  5. In the block, enable user export (see screenshots)
  6. Create a user (group authenticated)
  7. Log in as the new user
  8. Open the page and press export
  9. Now a user can delete a preset filter and export all data from the module

Environment and versions

No response

Anything else?

No response
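
The expected behaviour described in this issue, as an added example that is not part of the issue and not Corteza code: the preset filter is applied as a fixed scope and the user's filter is ANDed onto it, so removing the user filter cannot widen the export. `Record`, `Filter`, `export`, `ownedBy`, `titleHas` and the sample data are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a constructed stand-in for a module record, not Corteza's own type.
type Record struct {
	ID      int
	OwnedBy string
	Title   string
}

// Filter is a hypothetical predicate form of a record-list filter.
type Filter func(Record) bool

// export returns the records matching every non-nil filter (AND semantics).
func export(all []Record, filters ...Filter) []Record {
	out := []Record{}
	for _, r := range all {
		keep := true
		for _, f := range filters {
			if f != nil && !f(r) {
				keep = false
				break
			}
		}
		if keep {
			out = append(out, r)
		}
	}
	return out
}

// sampleRecords is constructed data: two records owned by alice, one by bob.
func sampleRecords() []Record {
	return []Record{{1, "alice", "Invoice A"}, {2, "bob", "Invoice B"}, {3, "alice", "Quote C"}}
}

func ownedBy(user string) Filter { return func(r Record) bool { return r.OwnedBy == user } }
func titleHas(s string) Filter  { return func(r Record) bool { return strings.Contains(r.Title, s) } }

func main() {
	all, preset := sampleRecords(), ownedBy("alice")
	// Reported behaviour: the editable filter replaces the preset; deleting it (nil) exports everything.
	fmt.Println(len(export(all, nil)))
	// Expected behaviour: the preset stays applied and is ANDed with the user's filter.
	fmt.Println(len(export(all, preset, nil)), len(export(all, preset, titleHas("Invoice"))))
}
```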

Fajfa commented 1 day ago

This was actually intended, so if you can export records it was assumed the users might want to change the filter before exporting.

That being said, I do get your point and it probably makes sense to have that export filter controlled by the "Users will be able to filter the list" option.

rsyrnicki commented 1 day ago

If it was intended, then is there another way to filter what a user can export from a module? For example with permissions? I feel like I'm missing something.

Fajfa commented 1 day ago

Yes, you can have record permissions that will prevent users from reading the records (and also exporting them)

rsyrnicki commented 1 day ago

> Yes, you can have record permissions that will prevent users from reading the records (and also exporting them)

It seems there is no way to set record permissions to a user, only to a group. Is there a solution for that, other than creating a group for every user?

Fajfa commented 1 day ago

Users have roles, and roles have permissions. So there is no way around setting permissions only on roles. But you can have contextual roles, that are based on context. Check out the documentation for that.

rsyrnicki commented 1 day ago

> you can have contextual roles, that are based on context. Check out the documentation for that.

That sounds promising. I'll check it out and close the issue if I manage to do it.